[clamav-users] PUA.Script.PDF.EmbeddedJS-1

Al Varnell alvarnell at mac.com
Tue Sep 1 22:58:49 EDT 2015

On Tue, Sep 01, 2015 at 07:01 PM, aklist wrote:
> On 9/1/2015 8:28 PM, Al Varnell wrote:
>> Let me start by saying that I don’t recall an engine update ever flagging fewer files as infected.  If anything, they would enable even more signatures to identify more files, so I’m confident that PUA.Script.PDF.EmbeddedJS-1 would work exactly the same with today’s engine.
>> But more important is the conclusion that this is a False Positive.  Potentially Unwanted Application / Process (PUA/PUP) detections are almost never False Positives (although I did verify one once a few years ago).  In this case the signature would appear to have identified a PDF document that contains JavaScript.  That’s all it’s warning you about.  If that’s what you expected from this document then ignore it and get on with your work.  If you are surprised by such a thing, then perhaps you should take another look at it to see what it does and if it could be malicious.
>> Of course, chances are extremely high that even a malicious JavaScript would be Windows-based and no threat to a Mac, but that’s probably beside the point.
> Thanks Al for that information. The machine that detected it is a mailserver, and the final recipient would have been a Windows machine.

I should have guessed that as I knew you wouldn’t have an older version of the engine unless you were running Snow Leopard server.

> The only references to it being a false positive are several years old, and since this version of ClamAV is from a similar "vintage" I wanted to make sure that the signature hadn't been deemed "not a threat" in later versions of ClamAV.

No, the signature database is maintained independently of the engine, so any whitelisting would have been to the database, which is common to all supported engines.


> On Tue, Sep 01, 2015 at 03:37 PM, aklist wrote:
>>> Hi All: A PDF attachment to an email was scanned by ClamAV and found to have the following virus: PUA.Script.PDF.EmbeddedJS-1
>>> I googled around on this and found some reports that it's a false positive. I'm still running 0.96.1 on MacOS 10.6.8, and I realize that it is out of date, but I was curious if later versions of ClamAV would also flag this virus?
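
Added example, not part of the original thread: one way to take the "another look" suggested above is to check the raw PDF for the name keys that carry or trigger scripts (/JS, /JavaScript, /OpenAction, /AA). This is a triage aid written for this page, not ClamAV's signature logic; `triage_pdf`, `decode_name` and the sample bytes are constructed for illustration, and names inside compressed object streams are not seen by it.

```python
import re

# PDF name keys that matter when triaging a "PDF contains JavaScript" report.
KEYS = ("JS", "JavaScript", "OpenAction", "AA")

# A PDF name: "/" followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#53 and /JS compare equal."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count script-related names in the raw (uncompressed) bytes of a PDF."""
    counts = {k: 0 for k in KEYS}
    escaped = 0
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
            if b"#" in m.group(1):
                escaped += 1  # a hex-escaped key deserves a closer look
    return {
        "counts": counts,
        "has_javascript": counts["JS"] > 0 or counts["JavaScript"] > 0,
        "auto_run": counts["OpenAction"] > 0 or counts["AA"] > 0,
        "escaped_names": escaped,
        # Names stored inside object streams are compressed and invisible here.
        "object_streams": data.count(b"/ObjStm"),
    }


# Constructed sample: fragment of a PDF whose catalog runs a script on open.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert\\('hello'\\);) >> endobj\n"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(triage_pdf(data))
```

A non-zero `object_streams` count with no script keys found means the result is inconclusive rather than clean.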